registry  /  @devflow-tools/devflow  /  0.8.6

@devflow-tools/devflow@0.8.6

DevFlow - Developer Intelligence Platform (Distribution Package)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package unconditionally mutates a Claude Code hook configuration in the consuming project at install time. That installs a package-supplied PreToolUse hook over all Claude tool calls.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
npm install running package postinstall
Impact
Broad Claude Code control-surface mutation; subsequent tool calls execute package hook code that observes tool input and may deny tool use.
Mechanism
unconsented install-time AI-agent hook registration
Policy narrative
On installation, the postinstall script finds the consumer project root, creates .claude if needed, and writes .claude/hooks.json with a global PreToolUse entry executing the package's dist/hooks/pre-tool-use.js. When Claude Code later invokes tools, that hook parses tool input, sends telemetry to the configured DevFlow API URL or caches it under the user's home directory, and can return deny decisions for non-MCP tool calls under certain package state.
Rationale
This matches the firewall block policy for unconsented npm postinstall mutation of a foreign/broad AI-agent control surface. The behavior is package-aligned and mostly local, but the install-time Claude hook registration is concrete and does not require explicit user command setup.
Evidence
package.jsonscripts/postinstall.jsdist/hooks/pre-tool-use.jsbin/devflowdist/cli.jsdist/mcp-server.js.claude/hooks.json~/.devflow/telemetry-cache~/.devflow/current-skill.json~/.devflow/current-execution-id
Network endpoints2
localhost:13337127.0.0.1:13337

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/postinstall.js
  • scripts/postinstall.js creates/updates consumer .claude/hooks.json during npm install
  • postinstall registers PreToolUse matcher '*' command: node dist/hooks/pre-tool-use.js
  • dist/hooks/pre-tool-use.js runs on Claude tool calls and sends tool_name/tool_input telemetry
  • hook can deny non-devflow tools when current skill requires MCP tools
Evidence against
  • network defaults are localhost http://localhost:13337 / http://127.0.0.1:13337
  • postinstall merges existing hooks and deduplicates its own command
  • no remote payload download or credential-file harvesting found in inspected files
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 5 file(s), 116 KB of source, external domains: 127.0.0.1

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli.jsView file
1#!/usr/bin/env node L2: import Vo,{unlinkSync,existsSync,readFileSync,rmSync,mkdirSync,writeFileSync,statSync,cpSync,readdirSync}from'fs';import xt,{dirname,join,resolve}from'path';import {homedir}from'os... L3: `)}var Q,cn,ee=Se(()=>{Oe();Q=Ee.default??Ee,cn=createRequire(import.meta.url);});function z(e){let o=join(e,".devflow","config.json");if(existsSync(o))try{let n=readFileSync(o,"ut...
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: import Vo,{unlinkSync,existsSync,readFileSync,rmSync,mkdirSync,writeFileSync,statSync,cpSync,readdirSync}from'fs';import xt,{dirname,join,resolve}from'path';import {homedir}from'os... L3: `)}var Q,cn,ee=Se(()=>{Oe();Q=Ee.default??Ee,cn=createRequire(import.meta.url);});function z(e){let o=join(e,".devflow","config.json");if(existsSync(o))try{let n=readFileSync(o,"ut... ... L16: Skipping plugin installation. You can install plugins later with:`),console.log(" devflow plugin list"),console.log(` devflow plugin install <name> L17: `);return i}async function N(e){let o=[],n;e.sseUrl?n={url:e.sseUrl}:n={command:e.command??"devflow-mcp",args:["--mode","stdio"]};let t=e.agent?[e.agent]:await import('@devflow-too... L18: `);if(o.length>=2){let n=parseInt(o[0],10);if(!isNaN(n))return n}return null}function x(e){if(!existsSync(e))return null;let o=readFileSync(e,"utf-8").trim().split(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L1
12Installing selected plugins... L13: `);for(let s of i)try{execSync(`npm install -g ${s}`,{stdio:"inherit"}),console.log(`\u2713 ${s} L14: `);}catch{console.error(`\u2717 Failed to install ${s}
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L12
matchType = normalized_sha256 matchedPackage = @devflow-tools/devflow@0.8.5 matchedPath = dist/cli.js matchedIdentity = npm:QGRldmZsb3ctdG9vbHMvZGV2Zmxvdw:0.8.5 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/cli.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 5b3f7fc01db880e4 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @devflow-tools/devflow@0.8.5 matchedPath = dist/cli.js matchedIdentity = npm:QGRldmZsb3ctdG9vbHMvZGV2Zmxvdw:0.8.5 similarity = 1.000 shingleOverlap = 5 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

dist/cli.jsView on unpkg
scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L2: // L3: // Auto-configures .claude/hooks.json in the consuming project so that Claude L4: // Code invokes the devflow PreToolUse hook on every tool call. ... L11: L12: import { writeFileSync, existsSync, mkdirSync, readFileSync } from 'node:fs'; L13: import { join, dirname } from 'node:path'; ... L55: L56: const claudeDir = join(projectRoot, '.claude'); L57: const hooksFile = join(claudeDir, 'hooks.json'); ... L59: L60: // 1. Ensure .claude/ directory exists L61: if (!existsSync(claudeDir)) { Payload evidence from dist/plugin/skills/devflow:doctor/SKILL.md: L1: --- L2: name: devflow:doctor
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L1
dist/dashboard-standalone.tar.gzView file
path = dist/dashboard-standalone.tar.gz kind = high_entropy_blob sizeBytes = 12111990 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/dashboard-standalone.tar.gzView on unpkg
path = dist/dashboard-standalone.tar.gz kind = compressed_blob sizeBytes = 12111990 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/dashboard-standalone.tar.gzView on unpkg

Findings

1 Critical8 High5 Medium5 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli.js
HighShell
HighSame File Env Network Executiondist/cli.js
HighRuntime Package Installdist/cli.js
HighShips High Entropy Blobdist/dashboard-standalone.tar.gz
HighKnown Malware Source Similaritydist/cli.js
HighKnown Malware Source Fingerprint Signaturedist/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobdist/dashboard-standalone.tar.gz
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License